nextcloud · YoitoFes · Sep 1, 2021 · Sep 3, 2021 · Sep 3, 2021
diff --git a/README.md b/README.md
@@ -31,7 +31,7 @@ Once configured, the folders will show up in the home folder for each user in th
 
 _Advanced Permissions_ allows entitled users to configure permissions inside groupfolders on a per file and folder basis.
 
-Permissions are configured by setting one or more of "Read", "Write", "Create", "Delete" or "Share" permissions to "allow" or "deny". Any permission not explicitly set will inherit the permissions from the parent folder. If multiple configured advanced permissions for a single file or folder apply for a single user (such as when a user belongs to multiple groups), the "allow" permission will overwrite any "deny" permission. Denied permissions configured for the group folder itself cannot be overwritten to "allow" permissions by the advanced permission rules.
+Permissions are configured by setting one or more of "Read", "Write", "Create", "Delete" or "Share" permissions to "allow" or "deny". Any permission not explicitly set for a user/group will inherit the user/group's permissions from the parent folder. If multiple configured advanced permissions for a single file or folder apply for a single user (such as when a user belongs to multiple groups), the "allow" permission will overwrite any "deny" permission. Denied permissions configured for the group folder itself cannot be overwritten to "allow" permissions by the advanced permission rules.
 
 ![advanced permissions](screenshots/acl.png)
 

diff --git a/lib/ACL/ACLManager.php b/lib/ACL/ACLManager.php
@@ -122,10 +122,21 @@ public function getACLPermissionsForPath(string $path): int {
 		$path = ltrim($path, '/');
 		$rules = $this->getRules($this->getParents($path));
 
-		return array_reduce($rules, function (int $permissions, array $rules) {
-			$mergedRule = Rule::mergeRules($rules);
-			return $mergedRule->applyPermissions($permissions);
-		}, Constants::PERMISSION_ALL);
+		$inheritedPermissionsByMapping = [];
+		array_walk_recursive($rules, function($rule) use(&$inheritedPermissionsByMapping) {
+			$mappingKey = $rule->getUserMapping()->getType() . '::' . $rule->getUserMapping()->getId();
+			if (!isset($inheritedPermissionsByMapping[$mappingKey])) {
+				$inheritedPermissionsByMapping[$mappingKey] = Constants::PERMISSION_ALL;
+			}
+			$inheritedPermissionsByMapping[$mappingKey] = $rule->applyPermissions($inheritedPermissionsByMapping[$mappingKey]);
+		});
+		if (empty($inheritedPermissionsByMapping)) {
+			return Constants::PERMISSION_ALL;
+		}
+
+		return array_reduce($inheritedPermissionsByMapping, function (int $mergedParmission, int $permissions) {
+			return $mergedParmission | $permissions;
+		}, 0);
 	}
 
 	/**
@@ -138,15 +149,25 @@ public function getPermissionsForTree(string $path): int {
 		$path = ltrim($path, '/');
 		$rules = $this->ruleManager->getRulesForPrefix($this->user, $this->getRootStorageId(), $path);
 
-		return array_reduce($rules, function (int $permissions, array $rules) {
-			$mergedRule = Rule::mergeRules($rules);
-
-			$invertedMask = ~$mergedRule->getMask();
+		$inheritedPermissionsByMapping = [];
+		array_walk_recursive($rules, function($rule) use(&$inheritedPermissionsByMapping) {
+			$mappingKey = $rule->getUserMapping()->getType() . '::' . $rule->getUserMapping()->getId();
+			if (!isset($inheritedPermissionsByMapping[$mappingKey])) {
+				$inheritedPermissionsByMapping[$mappingKey] = Constants::PERMISSION_ALL;
+			}
+			$invertedMask = ~$rule->getMask();
 			// create a bitmask that has all inherit and allow bits set to 1 and all deny bits to 0
-			$denyMask = $invertedMask | $mergedRule->getPermissions();
+			$denyMask = $invertedMask | $rule->getPermissions();
 
 			// since we only care about the lower permissions, we ignore the allow values
-			return $permissions & $denyMask;
-		}, Constants::PERMISSION_ALL);
+			$inheritedPermissionsByMapping[$mappingKey] = $inheritedPermissionsByMapping[$mappingKey] & $denyMask;
+		});
+		if (empty($inheritedPermissionsByMapping)) {
+			return Constants::PERMISSION_ALL;
+		}
+
+		return array_reduce($inheritedPermissionsByMapping, function (int $mergedParmission, int $permissions) {
+			return $mergedParmission | $permissions;
+		}, 0);
 	}
 }
diff --git a/lib/ACL/Rule.php b/lib/ACL/Rule.php
@@ -117,28 +117,4 @@ public static function xmlDeserialize(Reader $reader): Rule {
 			(int)$elements[self::PERMISSIONS]
 		);
 	}
-
-	/**
-	 * merge multiple rules that apply on the same file where allow overwrites deny
-	 *
-	 * @param array $rules
-	 * @return Rule
-	 */
-	public static function mergeRules(array $rules): Rule {
-		// or'ing the masks to get a new mask that masks all set permissions
-		$mask = array_reduce($rules, function (int $mask, Rule $rule) {
-			return $mask | $rule->getMask();
-		}, 0);
-		// or'ing the permissions combines them with allow overwriting deny
-		$permissions = array_reduce($rules, function (int $permissions, Rule $rule) {
-			return $permissions | $rule->getPermissions();
-		}, 0);
-
-		return new Rule(
-			new UserMapping('dummy', ''),
-			-1,
-			$mask,
-			$permissions
-		);
-	}
 }
diff --git a/tests/ACL/ACLManagerTest.php b/tests/ACL/ACLManagerTest.php
@@ -24,7 +24,7 @@
 use OCA\GroupFolders\ACL\ACLManager;
 use OCA\GroupFolders\ACL\Rule;
 use OCA\GroupFolders\ACL\RuleManager;
-use OCA\GroupFolders\ACL\UserMapping\IUserMapping;
+use OCA\GroupFolders\ACL\UserMapping\UserMapping;
 use OCP\Constants;
 use OCP\Files\IRootFolder;
 use OCP\Files\Mount\IMountPoint;
@@ -38,7 +38,7 @@ class ACLManagerTest extends TestCase {
 	private $user;
 	/** @var ACLManager */
 	private $aclManager;
-	/** @var IUserMapping */
+	/** @var UserMapping */
 	private $dummyMapping;
 	/** @var Rule[] */
 	private $rules = [];
@@ -57,7 +57,7 @@ protected function setUp(): void {
 		$this->aclManager = new ACLManager($this->ruleManager, $this->user, function () use ($rootFolder) {
 			return $rootFolder;
 		});
-		$this->dummyMapping = $this->createMock(IUserMapping::class);
+		$this->dummyMapping = $this->createMock(UserMapping::class);
 
 		$this->ruleManager->method('getRulesForFilesByPath')
 			->willReturnCallback(function (IUser $user, int $storageId, array $paths) {
@@ -89,4 +89,24 @@ public function testGetACLPermissionsForPath() {
 		$this->assertEquals(Constants::PERMISSION_ALL - Constants::PERMISSION_SHARE, $this->aclManager->getACLPermissionsForPath('foo/bar'));
 		$this->assertEquals(Constants::PERMISSION_ALL, $this->aclManager->getACLPermissionsForPath('foo/bar/sub'));
 	}
+
+	public function testGetACLPermissionsForPathWithMultipleMappings() {
+		$anoterMapping = new UserMapping('group', 'test');
+		$this->rules = [
+			'foo' => [
+				new Rule($this->dummyMapping, 10, Constants::PERMISSION_ALL, Constants::PERMISSION_READ), // read only for dummyMapping
+				new Rule($anoterMapping, 10, 0, 0) // allow all for anotherMapping
+			],
+			'foo/bar' => [
+				new Rule($this->dummyMapping, 10, Constants::PERMISSION_UPDATE, Constants::PERMISSION_UPDATE), // add write for dummyMapping
+				new Rule($anoterMapping, 10, Constants::PERMISSION_UPDATE, 0) // deny write for anotherMapping
+			],
+			'foo/bar/sub' => [
+				new Rule($this->dummyMapping, 10, Constants::PERMISSION_ALL, 0) // deny all for dummyMapping
+			]
+		];
+		$this->assertEquals(Constants::PERMISSION_ALL, $this->aclManager->getACLPermissionsForPath('foo'));
+		$this->assertEquals(Constants::PERMISSION_ALL, $this->aclManager->getACLPermissionsForPath('foo/bar'));
+		$this->assertEquals(Constants::PERMISSION_ALL - Constants::PERMISSION_UPDATE, $this->aclManager->getACLPermissionsForPath('foo/bar/sub'));
+	}
 }
diff --git a/tests/ACL/RuleTest.php b/tests/ACL/RuleTest.php
@@ -43,39 +43,4 @@ public function testApplyPermissions($input, $mask, $permissions, $expected) {
 		$rule = new Rule($this->createMock(IUserMapping::class), 0, $mask, $permissions);
 		$this->assertEquals($expected, $rule->applyPermissions($input));
 	}
-
-	public function mergeRulesProvider() {
-		return [
-			[[
-				[0b00001111, 0b00000011],
-				[0b00001111, 0b00000011],
-			], 0b00001111, 0b00000011],
-			[[
-				[0b00001111, 0b00000000],
-				[0b00001111, 0b00000011],
-			], 0b00001111, 0b00000011],
-			[[
-				[0b00000011, 0b00000011],
-				[0b00001100, 0b00000000],
-			], 0b00001111, 0b00000011],
-			[[
-				[0b00001100, 0b00000000],
-				[0b00000011, 0b00000011],
-				[0b00001111, 0b00000100],
-			], 0b00001111, 0b00000111],
-		];
-	}
-
-	/**
-	 * @dataProvider mergeRulesProvider
-	 */
-	public function testMergeRules($inputs, $expectedMask, $expectedPermissions) {
-		$inputRules = array_map(function (array $input) {
-			return new Rule($this->createMock(IUserMapping::class), 0, $input[0], $input[1]);
-		}, $inputs);
-
-		$result = Rule::mergeRules($inputRules);
-		$this->assertEquals($expectedMask, $result->getMask());
-		$this->assertEquals($expectedPermissions, $result->getPermissions());
-	}
 }